The Call for Papers for the fourth annual HITBSecConf in Europe is now open. Taking place from the 8th through the 11th of April at the Okura Hotel in Amsterdam, it will be a triple track conference featuring keynotes by Eddie Schwartz, Chief Information Security Officer at RSA and Bob Lord, Chief Security Officer at Twitter.

The Call for Papers for the fourth annual HITBSecConf in Europe is now open. Taking place from the 8th through the 11th of April at the Okura Hotel in Amsterdam, it will be a triple track conference featuring keynotes by Eddie Schwartz, Chief Information Security Officer at RSA and Bob Lord, Chief Security Officer at Twitter.

Authors: Markus BeckedahlRalf BendrathTags: socialEvent: Chaos Communication Camp 2003Abstract: The World Summit on the Information Society (WSIS) is the latest in a long series of world summits organized by the United Nations that deal with central questions of humanity like the environment, women‚s rights, development, climate change, etc. At the WSIS, information and communication are on the agenda for the first time. The world summit is supposed to develop a common understanding of the information society. In Germany, a WSIS working group initiated by the Network New Media has been meeting continuously since summer 2002. The group has debated the themes of the WSIS, developed civil society positions and planned own interventions. Since January 2003, three open meetings of this working group with members of other non-governmental organizations, alternative media and scientific institutions have been held in Berlin. The working group was expanded and officially established as the "German Civil Society Coordinating Group for WSIS". Delegates of the group have attended important European and world-wide preparatory conferences. They monitor the developments and try to influence the agenda in favor of civil society demands. Single members of the working group are engaged in the sub-committees and caucuses of the international Civil Society Plenary Coordination Group. For the worldwide preparatory meeting in Paris in July, the group sent Georg Greve, President of the Free Software Foundation, Europe, as a civil society delegate into the German governmental delegation. Other members of the group are involved in the counter and alternative summit activities that are currently being planned by media and computer activists, such as the Polymedia lab or the World Forum on Communication Rights. In this panel at the ccc-camp we want to talk about and discuss the topics of the WSIS. What is going on globally and which positions do the different Players like governments, civil society and business have? What are the positions, campains and activities of the global civil society? What is happening especially in Germany? How can civil society use the attention while the WSIS is going on to transport alternative topics like freedoms of information, free software and human rights in the information society?

Authors: Markus BeckedahlRalf BendrathTags: socialEvent: Chaos Communication Camp 2003Abstract: The World Summit on the Information Society (WSIS) is the latest in a long series of world summits organized by the United Nations that deal with central questions of humanity like the environment, women‚s rights, development, climate change, etc. At the WSIS, information and communication are on the agenda for the first time. The world summit is supposed to develop a common understanding of the information society. In Germany, a WSIS working group initiated by the Network New Media has been meeting continuously since summer 2002. The group has debated the themes of the WSIS, developed civil society positions and planned own interventions. Since January 2003, three open meetings of this working group with members of other non-governmental organizations, alternative media and scientific institutions have been held in Berlin. The working group was expanded and officially established as the "German Civil Society Coordinating Group for WSIS". Delegates of the group have attended important European and world-wide preparatory conferences. They monitor the developments and try to influence the agenda in favor of civil society demands. Single members of the working group are engaged in the sub-committees and caucuses of the international Civil Society Plenary Coordination Group. For the worldwide preparatory meeting in Paris in July, the group sent Georg Greve, President of the Free Software Foundation, Europe, as a civil society delegate into the German governmental delegation. Other members of the group are involved in the counter and alternative summit activities that are currently being planned by media and computer activists, such as the Polymedia lab or the World Forum on Communication Rights. In this panel at the ccc-camp we want to talk about and discuss the topics of the WSIS. What is going on globally and which positions do the different Players like governments, civil society and business have? What are the positions, campains and activities of the global civil society? What is happening especially in Germany? How can civil society use the attention while the WSIS is going on to transport alternative topics like freedoms of information, free software and human rights in the information society?

Authors: Ville OksanenTags: lawEvent: Chaos Communication Congress 18th (18C3) 2001Abstract: Digital Rights Management (DRM) does not work without legal protection. Consequently World Intellectual Property Organisation's (WIPO) Copyright Treaty (WCT) and WIPO Performances and Phonograms Treaty have a provision, which requires signing countries to change their legislation to give this protection. Digital Millennium Copyright Act (DMCA)in USA and EU Copyright directive (EUCD) are results of this changing process. EUCD has not yet been implemented in the member countries, but it has to be before 22. December 2002. One of the most crucial questions to scientific world is what kind of exceptions exist or will exist to shield the research (cryptography etc), which contradicts with the protection these laws are supposed to offer. This paper describes and analyses this question in detail. In particular the paper presents practical guidelines for developers' experimenting with cryptography. Finally this article address the question, what can be done in Europe to affect the outcomes of national implementations of EUCD to give the widest possible protection to research in these questions.

Authors: Roger DingledineTags: TorEvent: Chaos Communication Congress 21th (21C3) 2004Abstract: Tor is a free-software anonymizing network for web browsing, instant messaging, etc. Our deployed network has thousands of users. I'll talk about design decisions, some everyday uses for anonymity networks, and where we need to go from here. Tor (second-generation Onion Routing) is a distributed overlay network that anonymizes TCP-based applications like web browsing, secure shell, and instant messaging. We have a deployed network of 50 nodes in the US and Europe, and the code is released unencumbered as free software. Tor's rendezvous point design enables location-hidden services -- users can run a standard webserver or other service without revealing its IP. I'll give an overview of the Tor architecture, and talk about why you'd want to use it, what security it provides, and how user applications interface to it. I'll show a working Tor network, and invite the audience to connect to it and use it.

Authors: Roger DingledineTags: TorEvent: Chaos Communication Congress 21th (21C3) 2004Abstract: Tor is a free-software anonymizing network for web browsing, instant messaging, etc. Our deployed network has thousands of users. I'll talk about design decisions, some everyday uses for anonymity networks, and where we need to go from here. Tor (second-generation Onion Routing) is a distributed overlay network that anonymizes TCP-based applications like web browsing, secure shell, and instant messaging. We have a deployed network of 50 nodes in the US and Europe, and the code is released unencumbered as free software. Tor's rendezvous point design enables location-hidden services -- users can run a standard webserver or other service without revealing its IP. I'll give an overview of the Tor architecture, and talk about why you'd want to use it, what security it provides, and how user applications interface to it. I'll show a working Tor network, and invite the audience to connect to it and use it.

Authors: Roger DingledineTags: TorEvent: Chaos Communication Congress 21th (21C3) 2004Abstract: Tor is a free-software anonymizing network for web browsing, instant messaging, etc. Our deployed network has thousands of users. I'll talk about design decisions, some everyday uses for anonymity networks, and where we need to go from here. Tor (second-generation Onion Routing) is a distributed overlay network that anonymizes TCP-based applications like web browsing, secure shell, and instant messaging. We have a deployed network of 50 nodes in the US and Europe, and the code is released unencumbered as free software. Tor's rendezvous point design enables location-hidden services -- users can run a standard webserver or other service without revealing its IP. I'll give an overview of the Tor architecture, and talk about why you'd want to use it, what security it provides, and how user applications interface to it. I'll show a working Tor network, and invite the audience to connect to it and use it.

[Julian] was really excited to get his hands on a Nest learning thermostat. It’s round, modern design will make it a showpiece in his home, but he knew there would be a few hiccups when trying to take advantage of its online features. That’s because [Julian] lives in Spain, and Nest is only configured to [...]

Authors: Holger KrekelTags: technologyEvent: Chaos Communication Congress 21th (21C3) 2004Abstract: FOSS culture hacks^h^h^h^h meets the EU buerocracy. It is not easy for FOSS projects to get $$$ funding by the European Union. We'll look and discuss how it played out for the PyPy project, a language project targetting itself with a "Münchhausen" approach. We'll try to see why it took the project - tackling deeply technical issues - one year to communicate "correctly" with the European Union. Programmers deal with rule systems and their execution. On the other hand, the European Union issues a lot of rules which are executed by the "commission" and its employees. Within the 6th research framework programme 20.000.000.000 $ will be distributed towards research projects across Europe between 2002-2006. No surprise, the formal rules a project has to live by just for the application is somewhat amazing. FOSS hackers, on the other hand, are used to communicate and adapt to a multitude of programs and systems. Looking from the right angle, it can be interesting to understand how an EU funded project is supposed to work. Even if you don't usually find arbitrary rule systems and their execution interesting you may learn some interesting bits and pieces about how (not) to interact with the EU - should you decide that your project is ready or desparate enough to go that way. Some of these "bits and pieces" can take weeks to research and be summarized in 3 minutes.

Authors: Holger KrekelTags: technologyEvent: Chaos Communication Congress 21th (21C3) 2004Abstract: FOSS culture hacks^h^h^h^h meets the EU buerocracy. It is not easy for FOSS projects to get $$$ funding by the European Union. We'll look and discuss how it played out for the PyPy project, a language project targetting itself with a "Münchhausen" approach. We'll try to see why it took the project - tackling deeply technical issues - one year to communicate "correctly" with the European Union. Programmers deal with rule systems and their execution. On the other hand, the European Union issues a lot of rules which are executed by the "commission" and its employees. Within the 6th research framework programme 20.000.000.000 $ will be distributed towards research projects across Europe between 2002-2006. No surprise, the formal rules a project has to live by just for the application is somewhat amazing. FOSS hackers, on the other hand, are used to communicate and adapt to a multitude of programs and systems. Looking from the right angle, it can be interesting to understand how an EU funded project is supposed to work. Even if you don't usually find arbitrary rule systems and their execution interesting you may learn some interesting bits and pieces about how (not) to interact with the EU - should you decide that your project is ready or desparate enough to go that way. Some of these "bits and pieces" can take weeks to research and be summarized in 3 minutes.

Authors: Holger KrekelTags: technologyEvent: Chaos Communication Congress 21th (21C3) 2004Abstract: FOSS culture hacks^h^h^h^h meets the EU buerocracy. It is not easy for FOSS projects to get $$$ funding by the European Union. We'll look and discuss how it played out for the PyPy project, a language project targetting itself with a "Münchhausen" approach. We'll try to see why it took the project - tackling deeply technical issues - one year to communicate "correctly" with the European Union. Programmers deal with rule systems and their execution. On the other hand, the European Union issues a lot of rules which are executed by the "commission" and its employees. Within the 6th research framework programme 20.000.000.000 $ will be distributed towards research projects across Europe between 2002-2006. No surprise, the formal rules a project has to live by just for the application is somewhat amazing. FOSS hackers, on the other hand, are used to communicate and adapt to a multitude of programs and systems. Looking from the right angle, it can be interesting to understand how an EU funded project is supposed to work. Even if you don't usually find arbitrary rule systems and their execution interesting you may learn some interesting bits and pieces about how (not) to interact with the EU - should you decide that your project is ready or desparate enough to go that way. Some of these "bits and pieces" can take weeks to research and be summarized in 3 minutes.

Tags: IPv6Event: Chaos Communication Congress 22th (22C3) 2005Abstract: After a short introduction on the differences of IPv4 to IPv6, the weaknesses in IPv6 will be shown. Highlight of the talk is the presentation of the THC-IPV6 Attack Toolkit, which includes all IPv6 attacks as well as a low level packet library for easy crafting packets. IPv6 is arriving slowly in Europe, but an important topic in Japan and South Korea, as IPv4 addresses are scarce. IPv6 will change the issues of security and hacking by a large degree. This speech will give a short introduction on the protocol differences, then show the vulnerabilities in the protocols and finally present the THC-IPV6 Attack Toolkit which includes the tools for all vulnerabilities shown, as well as a very easy packet crafting library.

Tags: IPv6Event: Chaos Communication Congress 22th (22C3) 2005Abstract: After a short introduction on the differences of IPv4 to IPv6, the weaknesses in IPv6 will be shown. Highlight of the talk is the presentation of the THC-IPV6 Attack Toolkit, which includes all IPv6 attacks as well as a low level packet library for easy crafting packets. IPv6 is arriving slowly in Europe, but an important topic in Japan and South Korea, as IPv4 addresses are scarce. IPv6 will change the issues of security and hacking by a large degree. This speech will give a short introduction on the protocol differences, then show the vulnerabilities in the protocols and finally present the THC-IPV6 Attack Toolkit which includes the tools for all vulnerabilities shown, as well as a very easy packet crafting library.

Tags: IPv6Event: Chaos Communication Congress 22th (22C3) 2005Abstract: After a short introduction on the differences of IPv4 to IPv6, the weaknesses in IPv6 will be shown. Highlight of the talk is the presentation of the THC-IPV6 Attack Toolkit, which includes all IPv6 attacks as well as a low level packet library for easy crafting packets. IPv6 is arriving slowly in Europe, but an important topic in Japan and South Korea, as IPv4 addresses are scarce. IPv6 will change the issues of security and hacking by a large degree. This speech will give a short introduction on the protocol differences, then show the vulnerabilities in the protocols and finally present the THC-IPV6 Attack Toolkit which includes the tools for all vulnerabilities shown, as well as a very easy packet crafting library.

Authors: Elektra WagenradTags: networkP2PEvent: Chaos Communication Congress 22th (22C3) 2005Abstract: Olsr.org's improved algorithm (compared to the initial INRIA OLSR draft) and how it may influence the development of ubiquitous free wireless networks. The Optimized Link State Routing Deamon - olsrd - from olsr.org is a routing application developed by community networking activists for wireless mesh networks. It is a open-source project that supports Mac OS-X, Window$ 98, 2000, XP, Linux, FreeBSD, OpenBSD and NetBSD. The application is available for Accesspoints that run Linux like the Linksys WRT54G, Asus Wl500g, Asus Wireles Harddrive, 4G Access Cube or Pocket PCs running Familiar Linux. Olsrd is a tremendous success. Community Wifi Networks all over the world are using olsrd now - in South Africa, Europe, Asia, Nepal, to mention a few. Rumours say that the most prominent person that communicates using olsrd at the moment is the Dalai Lama in exile... I will show what is going on in olsrd, where we are heading to with the protocol, what you can actually do with it now and what are the differences to the initial INRIA OLSR draft.

Authors: Elektra WagenradTags: networkP2PEvent: Chaos Communication Congress 22th (22C3) 2005Abstract: Olsr.org's improved algorithm (compared to the initial INRIA OLSR draft) and how it may influence the development of ubiquitous free wireless networks. The Optimized Link State Routing Deamon - olsrd - from olsr.org is a routing application developed by community networking activists for wireless mesh networks. It is a open-source project that supports Mac OS-X, Window$ 98, 2000, XP, Linux, FreeBSD, OpenBSD and NetBSD. The application is available for Accesspoints that run Linux like the Linksys WRT54G, Asus Wl500g, Asus Wireles Harddrive, 4G Access Cube or Pocket PCs running Familiar Linux. Olsrd is a tremendous success. Community Wifi Networks all over the world are using olsrd now - in South Africa, Europe, Asia, Nepal, to mention a few. Rumours say that the most prominent person that communicates using olsrd at the moment is the Dalai Lama in exile... I will show what is going on in olsrd, where we are heading to with the protocol, what you can actually do with it now and what are the differences to the initial INRIA OLSR draft.

Authors: Elektra WagenradTags: networkP2PEvent: Chaos Communication Congress 22th (22C3) 2005Abstract: Olsr.org's improved algorithm (compared to the initial INRIA OLSR draft) and how it may influence the development of ubiquitous free wireless networks. The Optimized Link State Routing Deamon - olsrd - from olsr.org is a routing application developed by community networking activists for wireless mesh networks. It is a open-source project that supports Mac OS-X, Window$ 98, 2000, XP, Linux, FreeBSD, OpenBSD and NetBSD. The application is available for Accesspoints that run Linux like the Linksys WRT54G, Asus Wl500g, Asus Wireles Harddrive, 4G Access Cube or Pocket PCs running Familiar Linux. Olsrd is a tremendous success. Community Wifi Networks all over the world are using olsrd now - in South Africa, Europe, Asia, Nepal, to mention a few. Rumours say that the most prominent person that communicates using olsrd at the moment is the Dalai Lama in exile... I will show what is going on in olsrd, where we are heading to with the protocol, what you can actually do with it now and what are the differences to the initial INRIA OLSR draft.

EMV, also known as "Chip and PIN", is the leading system for card payments world- wide. It is used throughout Europe and much of Asia, and is starting to be introduced in North America too. Payment cards contain a chip so they can execute an authentication protocol. This protocol requires point-of-sale (POS) terminals or ATMs to generate a nonce, called the unpredictable number, for each transaction to ensure it is fresh. The authors have discovered that some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this number. This exposes them to a "pre-play" attack which is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out even if it is impossible to clone a card physically (in the sense of extracting the key material and loading it into another card).

EMV, also known as "Chip and PIN", is the leading system for card payments world- wide. It is used throughout Europe and much of Asia, and is starting to be introduced in North America too. Payment cards contain a chip so they can execute an authentication protocol. This protocol requires point-of-sale (POS) terminals or ATMs to generate a nonce, called the unpredictable number, for each transaction to ensure it is fresh. The authors have discovered that some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this number. This exposes them to a "pre-play" attack which is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out even if it is impossible to clone a card physically (in the sense of extracting the key material and loading it into another card).

MakerSlide, European edition We’re all familiar with the MakerSlide, right? The linear bearing system that has been turned into everything from motorized camera mounts to 3D printers is apparently very hard to source in Europe. A few folks from the ShapeOko forum have teamed up to produce the MakerSlide in the UK. They’re running a crowdsourced project [...]

Authors: Frank RiegerRop GonggrijpTags: privacyEvent: Chaos Communication Congress 22th (22C3) 2005Abstract: Come to terms with the imminent loss of privacy and civil rights without going lethargic. We will analyse current events, how we think they will affect the issues we care about and how we can be most effective given the new circumstances. Or possibly how to simply survive the times ahead. During this lecture, we will first analyse what is happening on a global scale with regards to privacy, civil rights, democracy, corporate control of the media and related issues. We will try to highlight trends and the interests and motivations behind them, and we will try to analyse which strategies work well and which ones don't, both from the Luke Skywalker and from the Darth Vader perspective. Among other things, we will examine recent events and current situation in The Netherlands as a model for a possible Fortress-Europe future. We are now deep inside the kind of future we speculated about as a worst case scneario, back then. This is the ugly future, the one we never wanted, the one that we fought to prevent. We failed. And even if it wasn't our fault, we still have to live in it. The activists among us will need to figure out how to exercise the maximum amount of influence in a radically different environment. A surprising number of our friends work on the dark side, or at least in the twilight zone. While it certainly would be better if the surveillance industry were to die from lack of talent, the more realistic approach is to keep talking to those of us who sold their souls. We need to know much more about the details, but the general technological roadmap for the user-friendly police state is probably as clear to us today as the Internet Future was clear to us in 1993. We must think of ways to leverage this foresight. In order to stay relevant in this future, we need to choose our battles extremely wisely and avoid knee-jerk responses to knee-jerk politics. We will argue that fighting all battles on all battlefields will demotivate the very people we depend on if we want to change things for the better. Surviving and still having fun might not be easy, but is certainly possible. We don't pretend to have (too many) ready-made answers, but we will point to some models, ideas and implementations.

Authors: Frank RiegerRop GonggrijpTags: privacyEvent: Chaos Communication Congress 22th (22C3) 2005Abstract: Come to terms with the imminent loss of privacy and civil rights without going lethargic. We will analyse current events, how we think they will affect the issues we care about and how we can be most effective given the new circumstances. Or possibly how to simply survive the times ahead. During this lecture, we will first analyse what is happening on a global scale with regards to privacy, civil rights, democracy, corporate control of the media and related issues. We will try to highlight trends and the interests and motivations behind them, and we will try to analyse which strategies work well and which ones don't, both from the Luke Skywalker and from the Darth Vader perspective. Among other things, we will examine recent events and current situation in The Netherlands as a model for a possible Fortress-Europe future. We are now deep inside the kind of future we speculated about as a worst case scneario, back then. This is the ugly future, the one we never wanted, the one that we fought to prevent. We failed. And even if it wasn't our fault, we still have to live in it. The activists among us will need to figure out how to exercise the maximum amount of influence in a radically different environment. A surprising number of our friends work on the dark side, or at least in the twilight zone. While it certainly would be better if the surveillance industry were to die from lack of talent, the more realistic approach is to keep talking to those of us who sold their souls. We need to know much more about the details, but the general technological roadmap for the user-friendly police state is probably as clear to us today as the Internet Future was clear to us in 1993. We must think of ways to leverage this foresight. In order to stay relevant in this future, we need to choose our battles extremely wisely and avoid knee-jerk responses to knee-jerk politics. We will argue that fighting all battles on all battlefields will demotivate the very people we depend on if we want to change things for the better. Surviving and still having fun might not be easy, but is certainly possible. We don't pretend to have (too many) ready-made answers, but we will point to some models, ideas and implementations.

RootedCON 2013 Call For Papers - RootedCON is a security congress that will take place between March 7 to 9, 2013 in Madrid (Spain). With an estimated capacity of 670 people, it is one of the largest specialized conferences ever undertaken in the country and one of the largest in Europe, with profiles of attendees ranging from students, state forces, through market professionals in IT security or simply technology enthusiasts.

RootedCON 2013 Call For Papers - RootedCON is a security congress that will take place between March 7 to 9, 2013 in Madrid (Spain). With an estimated capacity of 670 people, it is one of the largest specialized conferences ever undertaken in the country and one of the largest in Europe, with profiles of attendees ranging from students, state forces, through market professionals in IT security or simply technology enthusiasts.

Authors: Paul BöhmTags: socialEvent: Chaos Communication Camp 2007Abstract: Great things rarely happen just because of good people or great ideas. For something interesting to happen opportunity, vision, and the ability to execute must come together. Why are there so few European ICT startups? If you've been following EU Reports on Innovation, you can see how bad the situation is already. In the words of the former Finnish Prime Minister, Mr. Esko Aho, in what is the Europan Union's prime document outlining a strategy for creating an innovative Europe: "Europe and its citizens should realize that their way of life is under threat[...] This society, averse to risk and reluctant to change, is in itself alarming but it is also unsustainable in the face of rising competition from other parts of the world." This talk explores Europe's seeming inability to innovate in ICT, looks for explanations from the perspective of founders, and tries to offer solutions to Europe's Innovation Dilemma.

Authors: Marco GerckeTags: cybercrimeEvent: Chaos Communication Camp 2007Abstract: The need for new investigation instruments in the fight against Cybercrime is a topic that is currently discussed on an intensive level – not only in Germany and not only in Europe. One instrument that is in the focus of the law-makers is the online search. Listening to the promoters of such an instruments it is easy to get the impression that the online search is the key to an effective fight against cybercrime – but is it really? The presentation summaries the discussion, highlights potential difficulties and points out alternative solutions. From my point of view it could be interesting to combine the legal issues with a technical approach.

Authors: Marco GerckeTags: cybercrimeEvent: Chaos Communication Camp 2007Abstract: The need for new investigation instruments in the fight against Cybercrime is a topic that is currently discussed on an intensive level – not only in Germany and not only in Europe. One instrument that is in the focus of the law-makers is the online search. Listening to the promoters of such an instruments it is easy to get the impression that the online search is the key to an effective fight against cybercrime – but is it really? The presentation summaries the discussion, highlights potential difficulties and points out alternative solutions. From my point of view it could be interesting to combine the legal issues with a technical approach.

Tags: data retentionEvent: Chaos Communication Congress 23th (23C3) 2006Abstract: The EU adopted a directive on the retention of data regarding the communications, movements and use of media of all 365 mio. EU citizens. The struggle is now continuing on the national levels, and privacy groups are preparing legal, political and technical challenges to this surveillance scheme. A year ago, the European ministers of justice and home affairs struck a deal with the European parliament and the commission according to which personal data regarding the communications, movements and use of media of all 365 mio. EU citizens is to be collected and stored for up to two years. While the EU directive 2006/24 EG on data retention has entered into force in May 2006, the struggle is continuing. The panel of three key anti-data retention activists will present to you the latest political and legal developments in this field in Europe and overseas. Two antagonistic trends can be observed: On the one hand, some member states such as Denmark have started the implementation process, as expected with a broader scope of data to be stored than is required by the directive. The United States are also moving towards data retention, and hardware vendors are preparing to sell the necessary surveillance equipment to telcos and ISPs. On the other hand, the opposition against this step towards a police state is growing. A number of EU member states have announced that they will postpone the retention of internet traffic data. The Irish government is challenging the entire directive before the European Court of Justice. Privacy groups are preparing legal, political and technical challenges. The panel of three key anti-data retention activists will present to you the latest political and legal developments in this field in Europe and overseas.

Tags: data retentionEvent: Chaos Communication Congress 23th (23C3) 2006Abstract: The EU adopted a directive on the retention of data regarding the communications, movements and use of media of all 365 mio. EU citizens. The struggle is now continuing on the national levels, and privacy groups are preparing legal, political and technical challenges to this surveillance scheme. A year ago, the European ministers of justice and home affairs struck a deal with the European parliament and the commission according to which personal data regarding the communications, movements and use of media of all 365 mio. EU citizens is to be collected and stored for up to two years. While the EU directive 2006/24 EG on data retention has entered into force in May 2006, the struggle is continuing. The panel of three key anti-data retention activists will present to you the latest political and legal developments in this field in Europe and overseas. Two antagonistic trends can be observed: On the one hand, some member states such as Denmark have started the implementation process, as expected with a broader scope of data to be stored than is required by the directive. The United States are also moving towards data retention, and hardware vendors are preparing to sell the necessary surveillance equipment to telcos and ISPs. On the other hand, the opposition against this step towards a police state is growing. A number of EU member states have announced that they will postpone the retention of internet traffic data. The Irish government is challenging the entire directive before the European Court of Justice. Privacy groups are preparing legal, political and technical challenges. The panel of three key anti-data retention activists will present to you the latest political and legal developments in this field in Europe and overseas.

Authors: Rop GonggrijpTags: electionEvent: Chaos Communication Congress 23th (23C3) 2006Abstract: This talk covers the dutch campaign against unverifiable voting on computers, which is part of a growing movement world-wide to reject these computers. Successes in Ireland and (surprise) the US seem to indicate that media, law-makers and the general public are beginning to wake up. For far too long The Netherlands have been the European capital of 'black-box style' electronic voting. It was time someone challenged Nedap, the leading manufacturer of unverifiable voting "machines" in Europe, in their own country. The talk very briefly describes the international situation with regard to electronic Voting, with emphasis on European history and events. It then describes the dutch campaign that was set up this year. I will talk about the results of the FOIA (IFG) requests we made, the results of our lobbying as well as highlight some of the media attention we got. We need help: I will also try to motivate you, the listener, to become active against unverifiable e-Voting in/on your own country, bundesland, weblog, city, province, university or wherever else you can. We can win this one. And we must: either democracy destroys black-box voting or it will eventually destroy democracy.

Authors: Rop GonggrijpTags: electionEvent: Chaos Communication Congress 23th (23C3) 2006Abstract: This talk covers the dutch campaign against unverifiable voting on computers, which is part of a growing movement world-wide to reject these computers. Successes in Ireland and (surprise) the US seem to indicate that media, law-makers and the general public are beginning to wake up. For far too long The Netherlands have been the European capital of 'black-box style' electronic voting. It was time someone challenged Nedap, the leading manufacturer of unverifiable voting "machines" in Europe, in their own country. The talk very briefly describes the international situation with regard to electronic Voting, with emphasis on European history and events. It then describes the dutch campaign that was set up this year. I will talk about the results of the FOIA (IFG) requests we made, the results of our lobbying as well as highlight some of the media attention we got. We need help: I will also try to motivate you, the listener, to become active against unverifiable e-Voting in/on your own country, bundesland, weblog, city, province, university or wherever else you can. We can win this one. And we must: either democracy destroys black-box voting or it will eventually destroy democracy.

Last week was the fifty year anniversary of the launching of Telstar 1, the first communications satellite. Take a look back at the marvel of the early technology as shown in this newsreel footage about the first broadcast. The first formal use was a speech by President Kennedy allowing most of Europe to “witness democracy [...]

Tags: scienceEvent: Chaos Communication Congress 25th (25C3) 2008Abstract: Soy is the magic ingredient that we often look to for our alternative, healthier, and more responsible diets. Yet the soy industry, with its boom in profits and global reach, behaves the exact opposite way. Genetically Modified, Resource Greedy, and Appearing at a Supermarket Near You The silent march of the multinational GMO soy industry and its growing power in South America, the EU, and around the World. For any of us in the last 20 years who have chosen to become vegetarians or just reduce the amount of meat that we eat, soy has long been our best friend. Soy, our good alternative food source friend which was our good source of protein and came in all kinds of shapes and forms, sometimes it even tasted like that old sausage or that filet mignon, only it was tofu. And that's how it has been for many alternative eaters, for a very long time, meat is bad, and hey – we've got soy as a healthy and not meat source of goodness. Meanwhile, by the time the late 90's rolled around, in the corridors of the European Commission, there was talk of a new kind of food crop, one that had been engineered to resist typical farming concerns like weeds and pests. Some even promised to reduce the amount of work required to grow it, saving farmers on labor costs. Experts and regular citizens around the world began to ask questions such as what would the long term effects be if people would consume this soy? What about the effects on agriculture if these types of crops are grown near regular soy? And from there.. more questions and frequently, few conclusive answers. One result was the EU's ban on GMO soy for human consumption. Yet despite this ban, GMO soy could be used for animal feed. Indeed by 2006, the European Union became the leading importer of soy, including GMO soy, from South America, 85% of which went towards livestock feeding. Livestock which eventually are consumed by humans. But the story is much larger than the EU and genetically modified food. Because with the growing scope and power of big soy agribusiness, nations like Brazil and Paraguay would experience a quiet soy revolution. A revolution that would bring an end to the way of life for many indigenous people, as well as destroy a significant amount of the amazon rain forest, all in the name of soy. While all this is going on, so to is the fair trade and alter-globalization movement of the late 1990's. Following in their tradition, throughout the 00's, activists from across Europe take matters into their own hands, in countries such as Portugal and Germany, physically going to GMO plantations and destroying the crops as an act of civil disobedience. This is but a snapshot of a very complex struggle that effects not only anyone who eats soy products, but all food. An issue that involves not only policy makers and farmers, but our collective future and public health. It has been called, the omnivore's dilemma, what some in the media feel is too complicated to report about. This is the story of our soy industry, whether we like it our not.

Authors: Kat BraybrookeTags: hackingEvent: Chaos Communication Camp 2011Abstract: In 2002, Ghosh et al released a study which found that in F/LOSS coder/hacker communities, only 1.5% of members were female. This participation-heavy session is about the challenges of immersive ethnographic research in a time of gender transformation. First, a bit about my background. My name is Kat Braybrooke, I'm a Canadian from Vancouver, and I am currently finishing my MSc thesis for University College London's Digital Anthropology program regarding the role of gender in FLOSS hacker and coder cultures. For this thesis (abstract at http://shehackers.kaibray.com), I engaged in a combination of phenomenological immersivity and informant relationship-building with over 30 hackers and coders (male and female) in hackspaces and recursive tech/'geek' cultures across Europe. When I started my research, I had specific assumptions about who I wanted to talk to and what I thought I'd find. However, through the process of engaging with the spaces and individuals involved in these communities, I have come to realize how incorrect these assumptions were - and I'm hoping these realizations can be of benefit future social scientists, anthropologist and media theorists studying recursive subcultures in periods of ultramodern transformation. This session is about group participation - discussion, debate, criticism and new ideas. I'm not here to tell you who you are. Instead, I want to learn what you, as Chaos Camp attendees, think of these sorts of academic studies of your own communities, and how you feel my methodology can be improved upon. While I'm a self-defined 'geek', I am the outsider here - so before I publish this research, I'd love to hear how my understandings can be improved.

Authors: Kat BraybrookeTags: hackingEvent: Chaos Communication Camp 2011Abstract: In 2002, Ghosh et al released a study which found that in F/LOSS coder/hacker communities, only 1.5% of members were female. This participation-heavy session is about the challenges of immersive ethnographic research in a time of gender transformation. First, a bit about my background. My name is Kat Braybrooke, I'm a Canadian from Vancouver, and I am currently finishing my MSc thesis for University College London's Digital Anthropology program regarding the role of gender in FLOSS hacker and coder cultures. For this thesis (abstract at http://shehackers.kaibray.com), I engaged in a combination of phenomenological immersivity and informant relationship-building with over 30 hackers and coders (male and female) in hackspaces and recursive tech/'geek' cultures across Europe. When I started my research, I had specific assumptions about who I wanted to talk to and what I thought I'd find. However, through the process of engaging with the spaces and individuals involved in these communities, I have come to realize how incorrect these assumptions were - and I'm hoping these realizations can be of benefit future social scientists, anthropologist and media theorists studying recursive subcultures in periods of ultramodern transformation. This session is about group participation - discussion, debate, criticism and new ideas. I'm not here to tell you who you are. Instead, I want to learn what you, as Chaos Camp attendees, think of these sorts of academic studies of your own communities, and how you feel my methodology can be improved upon. While I'm a self-defined 'geek', I am the outsider here - so before I publish this research, I'd love to hear how my understandings can be improved.

Authors: Lars WeilerTags: snifferEvent: Chaos Communication Congress 27th (27C3) 2010Abstract: Network traffic grows faster than monitoring and analysis tools can handle. During the last two years a couple of appliances hit the market which help in finding the “bits of interest”. Recently installed strategies and solutions for carriers, banks or lawful interception organizations will be discussed as examples. Quite every laptop nowadays is capable of handling Gigabit traffic. But doing a network analysis will hit the boundaries of CPU load quite quickly. Now, with 10GbE lines as the usual speed of carrier's and company's backbone, traffic monitoring and analysis became more and more painful. Even the biggest and most expensive analysis appliances on the market are barely capable of a real time traffic monitoring for more than 8Gbit/s. That's were a couple of vendors showed up and created devices which can handle multiple 10GbE lines at the same time. They call them “Active Distributed Traffic Capture Systems” or “Intelligent Data Access Networking Switches” – in short “Data Access Systems”. The primary use is for the aggregation and distribution of traffic. But all of the Data Access Systems are also capable of filtering traffic with the help of FPGA or CPLD techniques. So a carrier, bank or lawful interception organization can aggregate the data from many physical lines into one Data Access System, enter some filters with the help of a browser GUI, and distribute the resulting traffic to the analysis machines. It's easy to monitor 100 lines of 10GbE traffic. For competitive reasons, those vendors started to invent new features for a better or easier analysis of the data on the analysis devices. These include ingress port tagging, time stamping with nanosecond accuracy, slicing of packets and recalculation of checksums in realtime, blanking bits in packets, or even layer 7 filtering for e-mail and instant messenger addresses with full flow capturing. The interesting part for the usage is to create an infrastructure where even without data retention and a long term analysis specific users or just their communication with possible ”interesting“ data for intelligence agencies can be triggered and captured in real time. So, the process of the analysis can be quickened to quite no time. It's safe to say, that the flagship appliance by a vendor has been designed by request of US intelligence agencies. Of course, those devices have to be managed by administrators. For the ease of usage every vendor moved from a CLI based configuration interface to a shiny web GUI – with a couple of flaws. It is easy to break into the system or read out the configuration without access. This lecture will discuss the possibilities of today's data analysis with the help of these Data Access Systems. An overview of the features will help to understand that data analysis devices are not anymore the limiting factor in deep packet inspection of a huge amount of traffic. Examples will show what already has been set up and what is possible by companies and organizations – and which traffic they might monitor yet. During the last three years the speaker installed those appliances from different vendors at customers across Europe, gained deep knowledge of their usage, established a strong contact to the technicians and chief officers both at the vendors and customers side, and found out a lot about the hardware and software by reverse engineering.

Authors: Lars WeilerTags: snifferEvent: Chaos Communication Congress 27th (27C3) 2010Abstract: Network traffic grows faster than monitoring and analysis tools can handle. During the last two years a couple of appliances hit the market which help in finding the “bits of interest”. Recently installed strategies and solutions for carriers, banks or lawful interception organizations will be discussed as examples. Quite every laptop nowadays is capable of handling Gigabit traffic. But doing a network analysis will hit the boundaries of CPU load quite quickly. Now, with 10GbE lines as the usual speed of carrier's and company's backbone, traffic monitoring and analysis became more and more painful. Even the biggest and most expensive analysis appliances on the market are barely capable of a real time traffic monitoring for more than 8Gbit/s. That's were a couple of vendors showed up and created devices which can handle multiple 10GbE lines at the same time. They call them “Active Distributed Traffic Capture Systems” or “Intelligent Data Access Networking Switches” – in short “Data Access Systems”. The primary use is for the aggregation and distribution of traffic. But all of the Data Access Systems are also capable of filtering traffic with the help of FPGA or CPLD techniques. So a carrier, bank or lawful interception organization can aggregate the data from many physical lines into one Data Access System, enter some filters with the help of a browser GUI, and distribute the resulting traffic to the analysis machines. It's easy to monitor 100 lines of 10GbE traffic. For competitive reasons, those vendors started to invent new features for a better or easier analysis of the data on the analysis devices. These include ingress port tagging, time stamping with nanosecond accuracy, slicing of packets and recalculation of checksums in realtime, blanking bits in packets, or even layer 7 filtering for e-mail and instant messenger addresses with full flow capturing. The interesting part for the usage is to create an infrastructure where even without data retention and a long term analysis specific users or just their communication with possible ”interesting“ data for intelligence agencies can be triggered and captured in real time. So, the process of the analysis can be quickened to quite no time. It's safe to say, that the flagship appliance by a vendor has been designed by request of US intelligence agencies. Of course, those devices have to be managed by administrators. For the ease of usage every vendor moved from a CLI based configuration interface to a shiny web GUI – with a couple of flaws. It is easy to break into the system or read out the configuration without access. This lecture will discuss the possibilities of today's data analysis with the help of these Data Access Systems. An overview of the features will help to understand that data analysis devices are not anymore the limiting factor in deep packet inspection of a huge amount of traffic. Examples will show what already has been set up and what is possible by companies and organizations – and which traffic they might monitor yet. During the last three years the speaker installed those appliances from different vendors at customers across Europe, gained deep knowledge of their usage, established a strong contact to the technicians and chief officers both at the vendors and customers side, and found out a lot about the hardware and software by reverse engineering.

Authors: Lars WeilerTags: snifferEvent: Chaos Communication Congress 27th (27C3) 2010Abstract: Network traffic grows faster than monitoring and analysis tools can handle. During the last two years a couple of appliances hit the market which help in finding the “bits of interest”. Recently installed strategies and solutions for carriers, banks or lawful interception organizations will be discussed as examples. Quite every laptop nowadays is capable of handling Gigabit traffic. But doing a network analysis will hit the boundaries of CPU load quite quickly. Now, with 10GbE lines as the usual speed of carrier's and company's backbone, traffic monitoring and analysis became more and more painful. Even the biggest and most expensive analysis appliances on the market are barely capable of a real time traffic monitoring for more than 8Gbit/s. That's were a couple of vendors showed up and created devices which can handle multiple 10GbE lines at the same time. They call them “Active Distributed Traffic Capture Systems” or “Intelligent Data Access Networking Switches” – in short “Data Access Systems”. The primary use is for the aggregation and distribution of traffic. But all of the Data Access Systems are also capable of filtering traffic with the help of FPGA or CPLD techniques. So a carrier, bank or lawful interception organization can aggregate the data from many physical lines into one Data Access System, enter some filters with the help of a browser GUI, and distribute the resulting traffic to the analysis machines. It's easy to monitor 100 lines of 10GbE traffic. For competitive reasons, those vendors started to invent new features for a better or easier analysis of the data on the analysis devices. These include ingress port tagging, time stamping with nanosecond accuracy, slicing of packets and recalculation of checksums in realtime, blanking bits in packets, or even layer 7 filtering for e-mail and instant messenger addresses with full flow capturing. The interesting part for the usage is to create an infrastructure where even without data retention and a long term analysis specific users or just their communication with possible ”interesting“ data for intelligence agencies can be triggered and captured in real time. So, the process of the analysis can be quickened to quite no time. It's safe to say, that the flagship appliance by a vendor has been designed by request of US intelligence agencies. Of course, those devices have to be managed by administrators. For the ease of usage every vendor moved from a CLI based configuration interface to a shiny web GUI – with a couple of flaws. It is easy to break into the system or read out the configuration without access. This lecture will discuss the possibilities of today's data analysis with the help of these Data Access Systems. An overview of the features will help to understand that data analysis devices are not anymore the limiting factor in deep packet inspection of a huge amount of traffic. Examples will show what already has been set up and what is possible by companies and organizations – and which traffic they might monitor yet. During the last three years the speaker installed those appliances from different vendors at customers across Europe, gained deep knowledge of their usage, established a strong contact to the technicians and chief officers both at the vendors and customers side, and found out a lot about the hardware and software by reverse engineering.

Authors: Steven J. MurdochTags: banksmart cardEvent: Chaos Communication Congress 27th (27C3) 2010Abstract: EMV is the dominant protocol used for smart card payments worldwide, with over 730 million cards in circulation. Known to bank customers as “Chip and PIN”, it is used in Europe; it is being introduced in Canada; and there is pressure from banks to introduce it in the USA too. EMV secures credit and debit card transactions by authenticating both the card and the customer presenting it through a combination of cryptographic authentication codes, digital signatures, and the entry of a PIN. In this paper we describe and demonstrate a protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card’s PIN, and to remain undetected even when the merchant has an online connection to the banking network. The fraudster performs a man-in-the-middle attack to trick the terminal into believing the PIN verified correctly, while telling the issuing bank that no PIN was entered at all. The paper considers how the flaws arose, why they remained unknown despite EMV’s wide deployment for the best part of a decade, and how they might be fixed. Because we have found and validated a practical attack against the core functionality of EMV, we conclude that the protocol is broken. This failure is significant in the field of protocol design, and also has important public policy implications, in light of growing reports of fraud on stolen EMV cards. Frequently, banks deny such fraud victims a refund, asserting that a card cannot be used without the correct PIN, and concluding that the customer must be grossly negligent or lying. Our attack can explain a number of these cases, and exposes the need for further research to bridge the gap between the theoretical and practical security of bank payment systems. Smart cards have gradually replaced magnetic strip cards for point-of-sale and ATM transactions in many countries. The leading system, EMV (named after Europay, MasterCard, and Visa), has been deployed throughout most of Europe, and is currently being rolled out in Canada. As of early 2008, there were over 730 million EMV compliant smart cards in circulation worldwide. In EMV, customers authorize a credit or debit card transaction by inserting their card and entering a PIN into a point-of-sale terminal; the PIN is typically verified by the smart card chip, which is in turn authenticated to the terminal by a digital certificate. The transaction details are also authenticated by a cryptographic message authentication code (MAC), using a symmetric key shared between the payment card and the bank that issued the card to the customer (the issuer). EMV was heavily promoted under the “Chip and PIN” brand during its national rollout in the UK. The technology was advertised as a solution to increasing card fraud: a chip to prevent card counterfeiting, and a PIN to prevent abuse of stolen cards. Since its introduction in the UK the fraud landscape has changed significantly: lost and stolen card fraud is down, and counterfeit card fraud experienced a two year lull. But no type of fraud has been eliminated, and the overall fraud levels have actually risen (see Figure 1). The likely explanation for this is that EMV has simply moved fraud, not eliminated it. One goal of EMV was to externalise the costs of dispute from the issuing bank, in that if a disputed transaction has been authorised by a manuscript signature, it would be charged to the merchant, while if it had been authorised by a PIN then it would be charged to the customer. The net effect is that the banking industry, which was responsible for the design of the system, carries less liability for the fraud. The industry describes this as a ‘liability shift’. In the past few years, the UK media have reported numerous cases where cardholders’ complaints have been rejected by their bank and by government-approved mediators such as the Financial Ombudsman Service, using stock excuses such as ‘Your card was CHIP read and a PIN was used so you must have been negligent.’ Interestingly, an increasing number of complaints from believable witnesses indicate that their EMV cards were fraudulently used shortly after being stolen, despite there having been no possibility that the thief could have learned the PIN. In this paper, we describe a potential explanation. We have demonstrated how criminals can use stolen “Chip and PIN” (EMV) smart cards without knowing the PIN. Since “verified by PIN” – the essence of the system – does not work, we declare the Chip and PIN system to be broken.

Authors: Katarzyna SzymielewiczPatrick BreyerRalf BendrathTags: lawprivacyEvent: Chaos Communication Congress 27th (27C3) 2010Abstract: 2011 will again be a crucial year in the battle against data retention and blanket surveillance. The EU Commission is planning to publish its review of the directive in December (right in time before 27C3), and the lobbying and PR battle has already begun. In six months from now, we will see the legislative proposal from the EU commission for the revision of data retention. The talk will give a full picture of the legal state of play, what is going on in Brussels, what is already being done and of course where you can help. The speakers are closely involved in the process on the European and national level. In December 2005, the European Parliament agreed to the data retention directive that introduced mandatory retention of the telecommunications behaviour of half a billion EU citizens and residents. That was a huge disappointment and perceived by many as the final opening of the floodgates. Frank Rieger and Rop Gongrijp at 22C3 even declared that "we lost the war" over privacy. But things turned out different than expected. Now, five years later, a new privacy movement has risen in Germany and elsewhere, a number of constitutional courts all across Europe have declared national data retention laws illegal, a case against the whole directive is pending at the European Court of Justice, and the EU has a justice commissioner who openly said that she would not have suggested the whole thing in the first place, and a home affairs commissioner who voted against the directive when she was still a Member of Parliament. The talk will give a full picture of the legal state of play, what is going on in Brussels, what is already being done and of course where you can help. The speakers are all active in European Digital Rights (EDRi.org) and are closely involved in the process on the European and national level.

Authors: Katarzyna SzymielewiczPatrick BreyerRalf BendrathTags: lawprivacyEvent: Chaos Communication Congress 27th (27C3) 2010Abstract: 2011 will again be a crucial year in the battle against data retention and blanket surveillance. The EU Commission is planning to publish its review of the directive in December (right in time before 27C3), and the lobbying and PR battle has already begun. In six months from now, we will see the legislative proposal from the EU commission for the revision of data retention. The talk will give a full picture of the legal state of play, what is going on in Brussels, what is already being done and of course where you can help. The speakers are closely involved in the process on the European and national level. In December 2005, the European Parliament agreed to the data retention directive that introduced mandatory retention of the telecommunications behaviour of half a billion EU citizens and residents. That was a huge disappointment and perceived by many as the final opening of the floodgates. Frank Rieger and Rop Gongrijp at 22C3 even declared that "we lost the war" over privacy. But things turned out different than expected. Now, five years later, a new privacy movement has risen in Germany and elsewhere, a number of constitutional courts all across Europe have declared national data retention laws illegal, a case against the whole directive is pending at the European Court of Justice, and the EU has a justice commissioner who openly said that she would not have suggested the whole thing in the first place, and a home affairs commissioner who voted against the directive when she was still a Member of Parliament. The talk will give a full picture of the legal state of play, what is going on in Brussels, what is already being done and of course where you can help. The speakers are all active in European Digital Rights (EDRi.org) and are closely involved in the process on the European and national level.

Authors: Robert SpantonTags: roboticsEvent: Chaos Communication Congress 27th (27C3) 2010Abstract: Today, hacking is reserved for the microscopic fraction of the population who manage to shake themselves free of the suppressive education regime. Student Robotics is the beginning of the solution. By fostering creativity through competition to solve engineering challenges, we provide the inspiration society desperately needs. We develop an open platform for robotics and provide it to schools to open students' minds to the world of hacking. Student Robotics pushes engineering into schools by running a robotics competition between 16 to 18 year-olds. We send university students into schools to mentor the participating teams. The organisation is run entirely by students, who also develop the hardware and software for the participants to use. Student Robotics involves a whole range of software and hardware development, including including microcontroller programming, computer vision, and web-apps. This year we've started shipping the BeagleBoard as the robot's main computing device, providing us with a lot of scope for future hacking. In this talk I will: Discuss the motivation behind Student Robotics Provide a technical overview our current hardware and software Discuss the future of Student Robotics in Europe Hey Teacher. Leave them hackers alone.

Authors: Robert SpantonTags: roboticsEvent: Chaos Communication Congress 27th (27C3) 2010Abstract: Today, hacking is reserved for the microscopic fraction of the population who manage to shake themselves free of the suppressive education regime. Student Robotics is the beginning of the solution. By fostering creativity through competition to solve engineering challenges, we provide the inspiration society desperately needs. We develop an open platform for robotics and provide it to schools to open students' minds to the world of hacking. Student Robotics pushes engineering into schools by running a robotics competition between 16 to 18 year-olds. We send university students into schools to mentor the participating teams. The organisation is run entirely by students, who also develop the hardware and software for the participants to use. Student Robotics involves a whole range of software and hardware development, including including microcontroller programming, computer vision, and web-apps. This year we've started shipping the BeagleBoard as the robot's main computing device, providing us with a lot of scope for future hacking. In this talk I will: Discuss the motivation behind Student Robotics Provide a technical overview our current hardware and software Discuss the future of Student Robotics in Europe Hey Teacher. Leave them hackers alone.

Authors: Robert SpantonTags: roboticsEvent: Chaos Communication Congress 27th (27C3) 2010Abstract: Today, hacking is reserved for the microscopic fraction of the population who manage to shake themselves free of the suppressive education regime. Student Robotics is the beginning of the solution. By fostering creativity through competition to solve engineering challenges, we provide the inspiration society desperately needs. We develop an open platform for robotics and provide it to schools to open students' minds to the world of hacking. Student Robotics pushes engineering into schools by running a robotics competition between 16 to 18 year-olds. We send university students into schools to mentor the participating teams. The organisation is run entirely by students, who also develop the hardware and software for the participants to use. Student Robotics involves a whole range of software and hardware development, including including microcontroller programming, computer vision, and web-apps. This year we've started shipping the BeagleBoard as the robot's main computing device, providing us with a lot of scope for future hacking. In this talk I will: Discuss the motivation behind Student Robotics Provide a technical overview our current hardware and software Discuss the future of Student Robotics in Europe Hey Teacher. Leave them hackers alone.

Authors: Jérémie ZimmermannTags: lawEvent: Chaos Communication Congress 27th (27C3) 2010Abstract: ACTA, upcoming criminal enforcement directive, filtering of content... The entertainment industries go further and further into their crusade against sharing. They not only attack our fundamental freedoms, but also the very essence of the Internet. This session is a panorama of the current and upcoming battles, campaigns and actions. Everyone can help defeat the motherf#§$ers! The crusade against sharing the entertainment industries are waging against their customers is taking new directions. Their obsession to apply models from the past to today's technologies leads these industries to turn copyright against their customers. Direct consequences would be damages to freedom of expression, privacy and the right to a fair trial, that would greatly serve the will of some politicians to control the Internet. A number of extremely disturbing trends and upcoming legislative projects will be detailed in this session: ACTA. The "Anti-Counterfeiting Trade Agreement" is the flagship of the entertainment industries. It is a prototype of how to impose legislation while circumventing democratic process and public opinions. ACTA contains most of what the industries are dreaming about. By putting legal and monetary pressure over Internet technical intermediates, ACTA would force them to act as private copyright police and justice of the Net. IPRED2. The criminal enforcement directive was frozen in the Council of EU in 2006. It is about to be revived under the direction of the French commissioner Michel Barnier. It may contain sanctions for "inciting, aiding and abetting" infringement, which would blur the line between copyright infringement and political speech or the production of software and on-line services. "voluntary agreements", "extra-judicial measures", and "cooperation between rights-holders and Internet service providers" sound harmless, but they represent a growing trend in trying to force the ISPs into policing, through contracts, their networks and users. ISPs would be forced to use access restrictions ("three strikes") or even content filtering. Revision of the e-Commerce directive. The movie and music industries will use this occasion to attack the exoneration of liability for technical intermediates of the Net, with potential consequences on freedom of speech. Filtering of the Net. In the name of protecting the children or gamblers, it is being deployed all over Europe. These first steps will allow to further expand filtering mechanisms for the purpose of copyright enforcement, under influence the entertainment industries. How those policies are put in place? What can a citizen do in order to help counter them? How can we better organize to gain momentum in protecting fundamental freedoms in the digital environment? What were the successful campaigns so far, and what will be the upcoming ones?

Authors: Jérémie ZimmermannTags: lawEvent: Chaos Communication Congress 27th (27C3) 2010Abstract: ACTA, upcoming criminal enforcement directive, filtering of content... The entertainment industries go further and further into their crusade against sharing. They not only attack our fundamental freedoms, but also the very essence of the Internet. This session is a panorama of the current and upcoming battles, campaigns and actions. Everyone can help defeat the motherf#§$ers! The crusade against sharing the entertainment industries are waging against their customers is taking new directions. Their obsession to apply models from the past to today's technologies leads these industries to turn copyright against their customers. Direct consequences would be damages to freedom of expression, privacy and the right to a fair trial, that would greatly serve the will of some politicians to control the Internet. A number of extremely disturbing trends and upcoming legislative projects will be detailed in this session: ACTA. The "Anti-Counterfeiting Trade Agreement" is the flagship of the entertainment industries. It is a prototype of how to impose legislation while circumventing democratic process and public opinions. ACTA contains most of what the industries are dreaming about. By putting legal and monetary pressure over Internet technical intermediates, ACTA would force them to act as private copyright police and justice of the Net. IPRED2. The criminal enforcement directive was frozen in the Council of EU in 2006. It is about to be revived under the direction of the French commissioner Michel Barnier. It may contain sanctions for "inciting, aiding and abetting" infringement, which would blur the line between copyright infringement and political speech or the production of software and on-line services. "voluntary agreements", "extra-judicial measures", and "cooperation between rights-holders and Internet service providers" sound harmless, but they represent a growing trend in trying to force the ISPs into policing, through contracts, their networks and users. ISPs would be forced to use access restrictions ("three strikes") or even content filtering. Revision of the e-Commerce directive. The movie and music industries will use this occasion to attack the exoneration of liability for technical intermediates of the Net, with potential consequences on freedom of speech. Filtering of the Net. In the name of protecting the children or gamblers, it is being deployed all over Europe. These first steps will allow to further expand filtering mechanisms for the purpose of copyright enforcement, under influence the entertainment industries. How those policies are put in place? What can a citizen do in order to help counter them? How can we better organize to gain momentum in protecting fundamental freedoms in the digital environment? What were the successful campaigns so far, and what will be the upcoming ones?

Authors: Robin UptonTags: socialEvent: Chaos Communication Congress 28th (28C3) 2011Abstract: This whistlestop re-telling of world economic history squeezes 12,000 years of history into 18 slides. Its focus is the changing nature of money and the rise of the monied class in US and Europe. It outlines how the modern system of banking was instituted, how international organising allowed the power of the rich to gradually eclipse that of national governments, how war was managed for profit, and how the super-rich set about using the organs of the state in an effort to secure their position of control.

Authors: Robin UptonTags: socialEvent: Chaos Communication Congress 28th (28C3) 2011Abstract: This whistlestop re-telling of world economic history squeezes 12,000 years of history into 18 slides. Its focus is the changing nature of money and the rise of the monied class in US and Europe. It outlines how the modern system of banking was instituted, how international organising allowed the power of the rich to gradually eclipse that of national governments, how war was managed for profit, and how the super-rich set about using the organs of the state in an effort to secure their position of control.

Authors: Robin UptonTags: socialEvent: Chaos Communication Congress 28th (28C3) 2011Abstract: This whistlestop re-telling of world economic history squeezes 12,000 years of history into 18 slides. Its focus is the changing nature of money and the rise of the monied class in US and Europe. It outlines how the modern system of banking was instituted, how international organising allowed the power of the rich to gradually eclipse that of national governments, how war was managed for profit, and how the super-rich set about using the organs of the state in an effort to secure their position of control.

Tags: privacyEvent: Chaos Communication Congress 28th (28C3) 2011Abstract: We are members of Alternatif Bilişim Derneği (Alternative Informatics Association)**, one of many organizations that oppose the ongoing efforts for state-controlled Internet in Turkey. We see that the problems with media control in Turkey and in Europe are increasingly becoming part of a global problem. The governments are working on their own view of a 'secure' Internet, and we have to articulate and suggest an alternative. In our talk we want to give an account of our anti-censorship movement and the challenges we face in Turkey. We will first provide an overview of the political events; sanctions, censorship regulations and attempts of resistance in the country. Then, we will point out the main problems we face in making use of laws and technology against state control. We would also like to use our presentation as an opportunity to meet people at the CCC with similar affinities and to learn from their experience. We see a great need to create global networks and communities to articulate an alternative message; the Internet as the peoples’ media. Ali Rıza Keleş* arkeles@alternatifbilisim.org Ayşe Kaymak aysakaymak@gmail.com Işık Barış Fidaner fidaner@gmail.com Seda Gürses sguerses@esat.kuleuven.be We are members of Alternatif Bilişim Derneği (Alternative Informatics Association)**, one of many organizations that oppose the ongoing efforts for state-controlled Internet in Turkey. We see that the problems with media control in Turkey and in Europe are increasingly becoming part of a global problem. The governments are working on their own view of a 'secure' Internet, and we have to articulate and suggest an alternative. In our talk we want to give an account of our anti-censorship movement and the challenges we face in Turkey. We will first provide an overview of the political events; sanctions, censorship regulations and attempts of resistance in the country. Then, we will point out the main problems we face in making use of laws and technology against state control. We would also like to use our presentation as an opportunity to meet people at the CCC with similar affinities and to learn from their experience. We see a great need to create global networks and communities to articulate an alternative message; the Internet as the peoples’ media. A short history Despite its growing economy, democracy and fundamental rights have always been disputed in Turkey, where the shadow of the 1980 coup and still unresolved Kurdish problem is strongly felt, with the state persistently denying Kurdish citizens’ rights and repressing real political opposition to canalize the people’s consent to the authorized ‘official’ parties in the parliament. The coup in 1980 was mainly used to implement liberal policies, and this process is near completion: most state enterprises have been privatized in the last decade, including Türk Telekom, the phone company and the single ISP that owns the ADSL infrastructure in Turkey. In the same decade, the Internet use became widespread. Yet, the increasing popularity of the Internet has been accompanied by attempts to control it through criminal sanctions. Until 2007, tens of thousands of websites had been blocked by courts as ‘precaution’, including sites like Wordpress and YouTube. After the Law 5651 in 2007, even more websites were censored directly by government administration. As a response to this law, Sansüre Karşı Platform (Platform Against Censorship) was organized. In the first anti-censorship rally in 17 July 2010, nearly 3000 people participated, including Internet youth, political parties, trade unions, etc. Not long after the events in Tunisia and Egypt; the state institution for telecommunication, Bilgi Teknolojileri ve İletişim Kurumu (BTK) made a decision to force ISPs to provide unpaid Internet filters under the headings 'children', 'family' etc. This move created an enormous reaction, the culmination of which led to a nationwide Internet freedom rally in 15 May 2011 that took place in tens of cities. Alone in Istanbul 60 thousand people marched against the imposed censorship measures. What followed was a smearing campaign by controlled media (including state TV) against the protesters, and a pseudo-governance meeting with NGOs by BTK. After the general elections in June, the war with PKK escalated, suppressing the BTK decision out of media attention. Currently, DNS or IP blocking is used mostly for 'obscene' and in some cases for political websites. National security has always functioned as an excuse for the Turkish state to introduce exceptions to a rule or to make the exception the rule itself. An example is 'Ulusal Kripto Yönetmeliği' (National Crypto By-law) that was put in order in 2010. This by-law necessitates ‘official authorization’ for any encrypted communication by any citizen, and also requires the citizens to give away their encryption mechanisms and private keys to BTK for ‘storage’. In conclusion, we have reasons to believe that the government is currently developing infrastructure to utilize methods like deep packet inspection (DPI) as weapons in a 'cyberwar', possibly against its own people. These methods will include monitoring and labeling of Internet users as well as blocking communication. We made use of our 'right to information' to inquire about the plans for employing DPI, but were ‘informed’ that this is 'beyond the limits our right to information'. Problems in using laws & technology against state control The greatest problems with respect to guaranteeing fundamental rights in technology deployment and use currently are with how laws are made and how they are enforced. The lawmaking process is exclusionist, only including a few NGOs that can better be called QUANGOs (quasi-autonomous non-governmental organizations). There are several political parties and trade unions, but even their peaceful protests are occasionally declared ‘unauthorized’ and considered illegal. People in general do not trust the judiciary system, but are simply unorganized and do not believe in their power. The regime bases its legitimacy on ideology and not on lawful justice. Türk Telekom (TT), privatized in 2005, monopolizes the ADSL infrastructure, making Internet services expensive and prone to state control. In 2007, a workers' strike in TT had triggered debates on this monopoly being protected by the government. The company also acts as a service provider in several domains, creating questions about net neutrality. Another problem is with the limitation of how people can relate to technology. Computers, cellphones and other gadgets are aggressively marketed and widely used throughout the country, but the marketed forms of use mostly remain superficial, e.g., these gadgets are depicted as entertainment or as status symbols. We argue that the hegemony of these consumerist cultural connotations do hamper diverse uses of these products for a variety of motivations. A small community of Linux promoters have emerged around universities. These groups could promote alternative approaches to technology. However, under the usual political fears, they only articulate their positions professionally. Their statements usually target Microsoft or other big proprietary software companies. This position is compatible with the officially accepted national pride and national security positions in Turkey, and hence is limited to politics of technology only (see Pardus project). Leftist and Kurdish political organizations are in a position to benefit most from digital communication technologies. However, they still lack the capacity and enthusiasm to use it effectively. Alternative political media initiatives online exist, but they are mostly limited to standard uses and their technical quality reflect the lack of developers in the political community. In Turkey, engineering education is praised and supported by families. Families make up for the lack of a financially strong social system. The society in general also praises technical knowledge. However, a strong barrier separates the 'educated people' who are supposed to know it, from 'regular people' who are only supposed to consume it. Under economic pressure and feeling indebted to their families, most white collar workers dedicate themselves to their work in private companies. There is some space in some universities for shared work and creativity, but such spaces are getting smaller as most universities are being turned into technical schools. Ali Rıza Keleş, Işık Barış Fidaner are software developers, Ayşe Kaymak is a lawyer from Istanbul. Seda Gürses is an Internet researcher from Brussels. ** Alternatif Bilişim is a social network that includes users, developers and researchers of digital technologies, studying and practicing alternative uses of technology. Ultimately, our objective is to diminish the alienation of people to technical knowledge.

Tags: privacyEvent: Chaos Communication Congress 28th (28C3) 2011Abstract: We are members of Alternatif Bilişim Derneği (Alternative Informatics Association)**, one of many organizations that oppose the ongoing efforts for state-controlled Internet in Turkey. We see that the problems with media control in Turkey and in Europe are increasingly becoming part of a global problem. The governments are working on their own view of a 'secure' Internet, and we have to articulate and suggest an alternative. In our talk we want to give an account of our anti-censorship movement and the challenges we face in Turkey. We will first provide an overview of the political events; sanctions, censorship regulations and attempts of resistance in the country. Then, we will point out the main problems we face in making use of laws and technology against state control. We would also like to use our presentation as an opportunity to meet people at the CCC with similar affinities and to learn from their experience. We see a great need to create global networks and communities to articulate an alternative message; the Internet as the peoples’ media. Ali Rıza Keleş* arkeles@alternatifbilisim.org Ayşe Kaymak aysakaymak@gmail.com Işık Barış Fidaner fidaner@gmail.com Seda Gürses sguerses@esat.kuleuven.be We are members of Alternatif Bilişim Derneği (Alternative Informatics Association)**, one of many organizations that oppose the ongoing efforts for state-controlled Internet in Turkey. We see that the problems with media control in Turkey and in Europe are increasingly becoming part of a global problem. The governments are working on their own view of a 'secure' Internet, and we have to articulate and suggest an alternative. In our talk we want to give an account of our anti-censorship movement and the challenges we face in Turkey. We will first provide an overview of the political events; sanctions, censorship regulations and attempts of resistance in the country. Then, we will point out the main problems we face in making use of laws and technology against state control. We would also like to use our presentation as an opportunity to meet people at the CCC with similar affinities and to learn from their experience. We see a great need to create global networks and communities to articulate an alternative message; the Internet as the peoples’ media. A short history Despite its growing economy, democracy and fundamental rights have always been disputed in Turkey, where the shadow of the 1980 coup and still unresolved Kurdish problem is strongly felt, with the state persistently denying Kurdish citizens’ rights and repressing real political opposition to canalize the people’s consent to the authorized ‘official’ parties in the parliament. The coup in 1980 was mainly used to implement liberal policies, and this process is near completion: most state enterprises have been privatized in the last decade, including Türk Telekom, the phone company and the single ISP that owns the ADSL infrastructure in Turkey. In the same decade, the Internet use became widespread. Yet, the increasing popularity of the Internet has been accompanied by attempts to control it through criminal sanctions. Until 2007, tens of thousands of websites had been blocked by courts as ‘precaution’, including sites like Wordpress and YouTube. After the Law 5651 in 2007, even more websites were censored directly by government administration. As a response to this law, Sansüre Karşı Platform (Platform Against Censorship) was organized. In the first anti-censorship rally in 17 July 2010, nearly 3000 people participated, including Internet youth, political parties, trade unions, etc. Not long after the events in Tunisia and Egypt; the state institution for telecommunication, Bilgi Teknolojileri ve İletişim Kurumu (BTK) made a decision to force ISPs to provide unpaid Internet filters under the headings 'children', 'family' etc. This move created an enormous reaction, the culmination of which led to a nationwide Internet freedom rally in 15 May 2011 that took place in tens of cities. Alone in Istanbul 60 thousand people marched against the imposed censorship measures. What followed was a smearing campaign by controlled media (including state TV) against the protesters, and a pseudo-governance meeting with NGOs by BTK. After the general elections in June, the war with PKK escalated, suppressing the BTK decision out of media attention. Currently, DNS or IP blocking is used mostly for 'obscene' and in some cases for political websites. National security has always functioned as an excuse for the Turkish state to introduce exceptions to a rule or to make the exception the rule itself. An example is 'Ulusal Kripto Yönetmeliği' (National Crypto By-law) that was put in order in 2010. This by-law necessitates ‘official authorization’ for any encrypted communication by any citizen, and also requires the citizens to give away their encryption mechanisms and private keys to BTK for ‘storage’. In conclusion, we have reasons to believe that the government is currently developing infrastructure to utilize methods like deep packet inspection (DPI) as weapons in a 'cyberwar', possibly against its own people. These methods will include monitoring and labeling of Internet users as well as blocking communication. We made use of our 'right to information' to inquire about the plans for employing DPI, but were ‘informed’ that this is 'beyond the limits our right to information'. Problems in using laws & technology against state control The greatest problems with respect to guaranteeing fundamental rights in technology deployment and use currently are with how laws are made and how they are enforced. The lawmaking process is exclusionist, only including a few NGOs that can better be called QUANGOs (quasi-autonomous non-governmental organizations). There are several political parties and trade unions, but even their peaceful protests are occasionally declared ‘unauthorized’ and considered illegal. People in general do not trust the judiciary system, but are simply unorganized and do not believe in their power. The regime bases its legitimacy on ideology and not on lawful justice. Türk Telekom (TT), privatized in 2005, monopolizes the ADSL infrastructure, making Internet services expensive and prone to state control. In 2007, a workers' strike in TT had triggered debates on this monopoly being protected by the government. The company also acts as a service provider in several domains, creating questions about net neutrality. Another problem is with the limitation of how people can relate to technology. Computers, cellphones and other gadgets are aggressively marketed and widely used throughout the country, but the marketed forms of use mostly remain superficial, e.g., these gadgets are depicted as entertainment or as status symbols. We argue that the hegemony of these consumerist cultural connotations do hamper diverse uses of these products for a variety of motivations. A small community of Linux promoters have emerged around universities. These groups could promote alternative approaches to technology. However, under the usual political fears, they only articulate their positions professionally. Their statements usually target Microsoft or other big proprietary software companies. This position is compatible with the officially accepted national pride and national security positions in Turkey, and hence is limited to politics of technology only (see Pardus project). Leftist and Kurdish political organizations are in a position to benefit most from digital communication technologies. However, they still lack the capacity and enthusiasm to use it effectively. Alternative political media initiatives online exist, but they are mostly limited to standard uses and their technical quality reflect the lack of developers in the political community. In Turkey, engineering education is praised and supported by families. Families make up for the lack of a financially strong social system. The society in general also praises technical knowledge. However, a strong barrier separates the 'educated people' who are supposed to know it, from 'regular people' who are only supposed to consume it. Under economic pressure and feeling indebted to their families, most white collar workers dedicate themselves to their work in private companies. There is some space in some universities for shared work and creativity, but such spaces are getting smaller as most universities are being turned into technical schools. Ali Rıza Keleş, Işık Barış Fidaner are software developers, Ayşe Kaymak is a lawyer from Istanbul. Seda Gürses is an Internet researcher from Brussels. ** Alternatif Bilişim is a social network that includes users, developers and researchers of digital technologies, studying and practicing alternative uses of technology. Ultimately, our objective is to diminish the alienation of people to technical knowledge.

The Call for Papers for the third annual HITBSecConf in Europe is now open. Taking place from the 21st through the 25th of May at the Okura Hotel in Amsterdam, it will be a quad-track conference featuring keynote speakers Andy Ellis (Chief Security Officer, Akamai) and Bruce Schneier (Chief Security Technology Officer, BT).

The Call for Papers for the third annual HITBSecConf in Europe is now open. Taking place from the 21st through the 25th of May at the Okura Hotel in Amsterdam, it will be a quad-track conference featuring keynote speakers Andy Ellis (Chief Security Officer, Akamai) and Bruce Schneier (Chief Security Technology Officer, BT).

If you have ever traveled around Europe, you are likely familiar with parking discs. Required in many countries that would rather not deal with parking meters, these devices are placed in the front of a car’s window, and indicate when the vehicle was parked. When parking enforcement officers come through the area, it makes quick [...]

Authors: Daniel MendeEnno ReyTags: networkroutingexploitingEvent: Black Hat USA 2010Abstract: I personally remember the release of Yersinia at Black Hat Europe 2005. It was a ground breaking experience: a number of Layer 2 attacks regarded purely theoretical until then, was suddenly available in a mostly automated way. And those guys even showed some forays completely unbeknownst to me at the time. We plan to do the same in Vegas, with a new tool called Loki (after the giant from Norse mythology associated with cunning, trickery and evil). It's a Python based framework implementing many packet generation and attack modules for Layer 3 protocols, including BGP, LDP, OSPF, VRRP and quite a few others. After outlining Loki's inner architecture we'll give insight into several modules and discuss some particularly interesting attacks in the routing protocol space (e.g. cracking OSPF MD5 keys, injection of routes into OSPF and EIGRP environments etc.). Furthermore we'll describe vulnerabilities in lesser known protocols like VRRP. Every attack we mention will be shown in a practical demo and - of course - Loki will be released right after our talk.

Authors: Daniel MendeEnno ReyTags: networkroutingexploitingEvent: Black Hat USA 2010Abstract: I personally remember the release of Yersinia at Black Hat Europe 2005. It was a ground breaking experience: a number of Layer 2 attacks regarded purely theoretical until then, was suddenly available in a mostly automated way. And those guys even showed some forays completely unbeknownst to me at the time. We plan to do the same in Vegas, with a new tool called Loki (after the giant from Norse mythology associated with cunning, trickery and evil). It's a Python based framework implementing many packet generation and attack modules for Layer 3 protocols, including BGP, LDP, OSPF, VRRP and quite a few others. After outlining Loki's inner architecture we'll give insight into several modules and discuss some particularly interesting attacks in the routing protocol space (e.g. cracking OSPF MD5 keys, injection of routes into OSPF and EIGRP environments etc.). Furthermore we'll describe vulnerabilities in lesser known protocols like VRRP. Every attack we mention will be shown in a practical demo and - of course - Loki will be released right after our talk.

Rooted CON 2012 Call For Papers - Rooted CON is a security congress which will be held in Madrid (Spain) from March 1st through the 3rd, 2012. With an estimated capacity around 650 people, it is one of the biggest specialized congresses in Spain and one of the biggest in Europe. Having very different kinds of attendants going from students, police and government specialists, security professionals or just technology enthusiasts.

Rooted CON 2012 Call For Papers - Rooted CON is a security congress which will be held in Madrid (Spain) from March 1st through the 3rd, 2012. With an estimated capacity around 650 people, it is one of the biggest specialized congresses in Spain and one of the biggest in Europe. Having very different kinds of attendants going from students, police and government specialists, security professionals or just technology enthusiasts.

LG released a line of Internet-connected TVs in both the US and Europe that utilize Yahoo TV widgets to bring interactive content to the living room. While it sounds like a great idea in theory, users have been disappointed to find that LG has approved a measly 15 widgets since the TVs were released. OpenLGTV.org.ru [...]

The Call for Papers for the second annual HITBSecConf in Europe is now open. Taking place from the 17th through the 20th of May at the NH Grand Krasnapolsky in Amsterdam, HITB2011AMS will be a quad-track conference line up featuring keynote speaker Joe Sullivan (Chief Security Officer of Facebook) and a special keynote panel discussion on The Economics of Vulnerabilities.

The Call for Papers for the second annual HITBSecConf in Europe is now open. Taking place from the 17th through the 20th of May at the NH Grand Krasnapolsky in Amsterdam, HITB2011AMS will be a quad-track conference line up featuring keynote speaker Joe Sullivan (Chief Security Officer of Facebook) and a special keynote panel discussion on The Economics of Vulnerabilities.

Authors: Daniel MendeEnno ReyTags: networkCiscoEvent: Black Hat EU 2010Abstract: The world of "Enterprise WLAN solutions" is full of obscure and "non-standard" elements and technologies. Cisco's solutions, from the early Structured Wireless-Aware Network (SWAN) to the current Cisco Wireless Unified Networking (CUWN) architectures, only partly differ here. In this talk we describe the inner workings of these solutions, dissect the vulnerable parts and discuss theoretical and practical attacks, with some nice demos. A new tool automating a number of attacks (incl. taking over the WDS master role, extracting WPA pairwise master keys from intra-AP communication etc) will be released at Black Hat Europe.

Authors: Daniel MendeEnno ReyTags: networkCiscoEvent: Black Hat EU 2010Abstract: The world of "Enterprise WLAN solutions" is full of obscure and "non-standard" elements and technologies. Cisco's solutions, from the early Structured Wireless-Aware Network (SWAN) to the current Cisco Wireless Unified Networking (CUWN) architectures, only partly differ here. In this talk we describe the inner workings of these solutions, dissect the vulnerable parts and discuss theoretical and practical attacks, with some nice demos. A new tool automating a number of attacks (incl. taking over the WDS master role, extracting WPA pairwise master keys from intra-AP communication etc) will be released at Black Hat Europe.

Authors: Wendel Guglielmetti HenriqueSteve OcepekTags: OracleEvent: Black Hat EU 2010Abstract: In a world of free, ever-present encryption libraries, many penetration testers still find a lot of great stuff on the wire. Database traffic is a common favorite, and with good reason: when the data includes PAN, Track, and CVV, it makes you stop and wonder why this stuff isn’t encrypted by default. However, despite this weakness, we still need someone to issue queries before we see the data. Or maybe not… after all, it’s just plaintext. Wendel G. Henrique and Steve Ocepek of Trustwave’s SpiderLabs division offer a closer look at the world’s most popular relational database: Oracle. Through a combination of downgrade attacks and session take-over exploits, this talk introduces a unique approach to database account hijacking. Using a new tool, thicknet, released at Black Hat Europe, the team will demonstrate how deadly injection attacks can be to database security.

Authors: Wendel Guglielmetti HenriqueSteve OcepekTags: OracleEvent: Black Hat EU 2010Abstract: In a world of free, ever-present encryption libraries, many penetration testers still find a lot of great stuff on the wire. Database traffic is a common favorite, and with good reason: when the data includes PAN, Track, and CVV, it makes you stop and wonder why this stuff isn’t encrypted by default. However, despite this weakness, we still need someone to issue queries before we see the data. Or maybe not… after all, it’s just plaintext. Wendel G. Henrique and Steve Ocepek of Trustwave’s SpiderLabs division offer a closer look at the world’s most popular relational database: Oracle. Through a combination of downgrade attacks and session take-over exploits, this talk introduces a unique approach to database account hijacking. Using a new tool, thicknet, released at Black Hat Europe, the team will demonstrate how deadly injection attacks can be to database security.

Authors: Raoul D'CostaTags: RFIDEvent: Black Hat EU 2010Abstract: With the transition to RFID enabled travel documents (including the ePassport and the eID) in Europe, a correct implementation of the authentication and verification of passport technologies is necessary. The complexity if the technology can cause a myriad of security issues in the identification. Our presentation examines the eMRTD security controls and suggests correct implementations to enable identification as a mechanism. We also examine the dangers of incorrect implementations and the resulting consequences.

Authors: Raoul D'CostaTags: RFIDEvent: Black Hat EU 2010Abstract: With the transition to RFID enabled travel documents (including the ePassport and the eID) in Europe, a correct implementation of the authentication and verification of passport technologies is necessary. The complexity if the technology can cause a myriad of security issues in the identification. Our presentation examines the eMRTD security controls and suggests correct implementations to enable identification as a mechanism. We also examine the dangers of incorrect implementations and the resulting consequences.

This somewhat frightening armature is the base for the iconic energizer bunny. While we love seeing the guts of popular robotics, this brings up an interesting fact. In Europe, the bunny is the symbol for Duracell. There’s an interesting story where Duracell had used the bunny for years in europe, only to inspire Energizer to [...]

Call For Papers for EC2ND - The sixth European Conference on Computer Network Defense (EC2ND) will be held at the Faculty of Electrical Engineering and Computer Science at Berlin Institute of Technology (TU Berlin). The conference brings together researchers from academia and industry within Europe and beyond to present and discuss current topics in applied network and systems security. It will occur from October 28th through the 29th, 2010 in Berlin, Germany.

Call For Papers for EC2ND - The sixth European Conference on Computer Network Defense (EC2ND) will be held at the Faculty of Electrical Engineering and Computer Science at Berlin Institute of Technology (TU Berlin). The conference brings together researchers from academia and industry within Europe and beyond to present and discuss current topics in applied network and systems security. It will occur from October 28th through the 29th, 2010 in Berlin, Germany.

Technical Cyber Security Alert 2010-55A - Malicious activity detected in mid-December targeted at least 20 organizations representing multiple industries including chemical, finance, information technology, and media. Investigation into this activity revealed that third parties routinely accessed the personal email accounts of dozens of users based in the United States, China, and Europe. Further analysis revealed these users were victims of previous phishing scams through which threat actors successfully gained access to their email accounts.

Technical Cyber Security Alert 2010-55A - Malicious activity detected in mid-December targeted at least 20 organizations representing multiple industries including chemical, finance, information technology, and media. Investigation into this activity revealed that third parties routinely accessed the personal email accounts of dozens of users based in the United States, China, and Europe. Further analysis revealed these users were victims of previous phishing scams through which threat actors successfully gained access to their email accounts.

Authors: Steven J. MurdochTags: credit cardbankEvent: Chaos Communication Congress 26th (26C3) 2009Abstract: The Chip Authentication Programme (CAP) has been introduced by banks in Europe to deal with the soaring losses due to online banking fraud. A handheld reader is used together with the customer's debit card to generate one-time codes for both login and transaction authentication. The CAP protocol is not public, and was rolled out without any public scrutiny. We reverse engineered the UK variant of card readers and smart cards and here provide the first public description of the protocol. We found numerous design errors, which could be exploited by criminals. Banks throughout Europe are now issuing hand-held smart card readers to their customers. These are used, along with the customer's bank card, for performing online banking transactions. In this talk I will describe how we reversed-engineered the cryptographic protocol used by these readers, using some custom-designed smart card analysis hardware. We discovered several flaws in this protocol, which could be exploited by criminals (and some already are). This talk will explain what vulnerabilities exist, and what the impact on customers could be.

Authors: Steven J. MurdochTags: credit cardbankEvent: Chaos Communication Congress 26th (26C3) 2009Abstract: The Chip Authentication Programme (CAP) has been introduced by banks in Europe to deal with the soaring losses due to online banking fraud. A handheld reader is used together with the customer's debit card to generate one-time codes for both login and transaction authentication. The CAP protocol is not public, and was rolled out without any public scrutiny. We reverse engineered the UK variant of card readers and smart cards and here provide the first public description of the protocol. We found numerous design errors, which could be exploited by criminals. Banks throughout Europe are now issuing hand-held smart card readers to their customers. These are used, along with the customer's bank card, for performing online banking transactions. In this talk I will describe how we reversed-engineered the cryptographic protocol used by these readers, using some custom-designed smart card analysis hardware. We discovered several flaws in this protocol, which could be exploited by criminals (and some already are). This talk will explain what vulnerabilities exist, and what the impact on customers could be.

Tags: VPNdarknetEvent: Chaos Communication Congress 26th (26C3) 2009Abstract: Building a private network to connect your neighbourhood. Why we feel common solutions are terrible on resources and what we think is better. Get on board. This talk will give you the opportunity to take a look at the shades of grey of interconnecting hackerspaces and people's networks. Mc.Fly presents ChaosVPN, reborn in its darknet-ish approach and gaining momentum from established hackerspaces in the US and Europe with spaces like NYC Resistor, Pumping Station: One, Noisebridge and c-base. The Agora Network will be presented by Aestetix and Eric in covering the community and technical aspects and what to expect. Equinox will show you the white-ish side called dn42 - the old but nice lady that connects mostly german people and younger spaces like sublab and entropia. Leveraging the efforts of the ChaosVPN network in the US is the Agora Network (Currently In Private Beta). By doing this we are not having to duplicate the efforts of every one involved we have settled on a standard platform utilising tincd. With hackerspaces popping up very rapidly and successfully in the US for the last 24 months we find this necessary. Agora is a mesh vpn service that serves to tie them all together on a common intranet. On the network people will be hosting machines for VMs, development, file hosting, PBX phone services, and a number of high performance clusters at the disposal of users which we are currently developing including those provided by node users. In the process several universities in the US have asked to join the network for several research opportunities not previously available to them. dn42 is built with tunnels (OpenVPN, GRE, tinc, etc) and has BGP running over them - the same dynamic routing protocol the internet runs on, albeit with less networks in the routing table. We will shed some light on both the technical and social aspects of dn42. Our walk starts at technical foundations and heads over to what BGP allows us to do on a social level. We'll also see how the flow of traffic can be engineered according to external constraints (think your plain asymmetric DSL at home), and last but not least we'll discuss different cases of maliciousness and how they're treated. While dn42 is our playground for testing and modelling all this stuff, most of it apples to the internet as well. This talk is somewhere around entry to immediate level. You should roughly know what an IP subnet, a route and dynamic routing is.

Tags: VPNdarknetEvent: Chaos Communication Congress 26th (26C3) 2009Abstract: Building a private network to connect your neighbourhood. Why we feel common solutions are terrible on resources and what we think is better. Get on board. This talk will give you the opportunity to take a look at the shades of grey of interconnecting hackerspaces and people's networks. Mc.Fly presents ChaosVPN, reborn in its darknet-ish approach and gaining momentum from established hackerspaces in the US and Europe with spaces like NYC Resistor, Pumping Station: One, Noisebridge and c-base. The Agora Network will be presented by Aestetix and Eric in covering the community and technical aspects and what to expect. Equinox will show you the white-ish side called dn42 - the old but nice lady that connects mostly german people and younger spaces like sublab and entropia. Leveraging the efforts of the ChaosVPN network in the US is the Agora Network (Currently In Private Beta). By doing this we are not having to duplicate the efforts of every one involved we have settled on a standard platform utilising tincd. With hackerspaces popping up very rapidly and successfully in the US for the last 24 months we find this necessary. Agora is a mesh vpn service that serves to tie them all together on a common intranet. On the network people will be hosting machines for VMs, development, file hosting, PBX phone services, and a number of high performance clusters at the disposal of users which we are currently developing including those provided by node users. In the process several universities in the US have asked to join the network for several research opportunities not previously available to them. dn42 is built with tunnels (OpenVPN, GRE, tinc, etc) and has BGP running over them - the same dynamic routing protocol the internet runs on, albeit with less networks in the routing table. We will shed some light on both the technical and social aspects of dn42. Our walk starts at technical foundations and heads over to what BGP allows us to do on a social level. We'll also see how the flow of traffic can be engineered according to external constraints (think your plain asymmetric DSL at home), and last but not least we'll discuss different cases of maliciousness and how they're treated. While dn42 is our playground for testing and modelling all this stuff, most of it apples to the internet as well. This talk is somewhere around entry to immediate level. You should roughly know what an IP subnet, a route and dynamic routing is.

Authors: Jérémie ZimmermannTags: net neutralityEvent: Chaos Communication Congress 26th (26C3) 2009Abstract: Net neutrality is an essential safeguard for competition, innovation, and fundamental freedoms. The debate is high in the US with the announce of FCC non discrimination principles (even if they sound irremediably bound to the interests of Hollywood industry). In the EU, the "Telecoms Package" has been the ground of intense debates on the issue. Dangerous provisions were voted, yet a very high level of awareness was raised, giving hope into further positive outcome of the debate. Why one shall care? What one can do about it? What is Net neutrality? Why is it crucial for the future of our online societies? What is the current state of Net neutrality legislation in the EU? What campaigns from civil societies, with what results? What will be the next steps? Net neutrality has been an indispensable catalyst of competition, innovation, and fundamental freedoms in the digital environment. A neutral Internet ensures that users face no conditions limiting access to applications and services. Likewise, it rules out any discrimination against the source, destination or actual content of the information transmitted over the network. Thanks to this principle, our society collectively built the Internet as we know it today. Except in some authoritarian regimes, everyone around the globe has access to the same Internet, and even the smallest entrepreneurs are on equal footing with the leading global enterprises. Moreover, Net neutrality stimulates the virtuous circle of a development model based on the growth of a common communication network that enables new uses and tools, as opposed to one relying on investments in filtering and controlling. Only under such conditions is Internet continuously improving our societies, enhancing freedom — including the freedom of expression and communication — and allowing for more efficient and creative markets. However, Net neutrality is now under the threat of telecom operators and content industries that see business opportunities in discriminating, filtering or prioritizing information flowing through the network. All around Europe, these kind of discriminatory practices, detrimental to both consumers and innovation, are emerging. No court or regulator seems to have adequate tools to counter these behaviors and preserve the general interest. Some provisions introduced in the EU "Telecoms Package" could even encourage such practices. We who build, use and love the Internet must be aware and active to protect it.